{"id":"MAL-2026-5802","summary":"Malicious code in cardano-addresses-docs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75)\npackage.json declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. index.js collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, full package.json) and reads /etc/passwd and /etc/hosts from the installer's machine, then HTTPS-POSTs the JSON payload to swsusmhg43tobo96re8dwn0vomudi46t.oastify.com — a Burp Collaborator out-of-band domain. The package has empty author, empty description, no real functionality, and a name impersonating the legitimate cardano-addresses Cardano library — consistent with a dependency-confusion / typosquat reconnaissance payload.\n","modified":"2026-06-15T19:06:36.830181347Z","published":"2026-06-15T18:26:01Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006657","import_time":"2026-06-15T18:54:56.321338173Z","versions":["1.0.1"],"sha256":"12312d4129dbe9579e9b2acc3761b1237f427ced1324198f61d13d349bced45a","modified_time":"2026-06-15T18:26:02Z","source":"amazon-inspector"},{"id":"IN-MAL-2026-006656","modified_time":"2026-06-15T18:26:01Z","versions":["1.0.1"],"sha256":"9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75","import_time":"2026-06-15T18:54:56.235793458Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cardano-addresses-docs/v/1.0.1"}],"affected":[{"package":{"name":"cardano-addresses-docs","ecosystem":"npm","purl":"pkg:npm/cardano-addresses-docs"},"versions":["1.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cardano-addresses-docs/MAL-2026-5802.json","indicators":{"ips":["3.248.33.252","54.77.139.23"],"domains":["swsusmhg43tobo96re8dwn0vomudi46t.oastify.com"],"evidence_files":[{"path":"index.js","tlsh":"e1411195a2d917330de210c0aa0c70813359fa767259a89076cf42d6af869f8b7226f3","sha256":"23e4dbfd1ac0ec73b0c23682e261be4ba8341d1246d913b2407ba2602fa25016"},{"path":"package.json","tlsh":"69d0a7304e22a53325c606a64c2b948772618f6f04083c0867df582c92ee677acff32c","sha256":"3f47626e2493e3920b5c3ac40314775728864eacbe21bf55fa9829e37c773c3d"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-i6tV1JmWrsvv+d4iPlhkk1iU0seR1aDY9GLxHv3h6w9YOpybMVhhJeJscYyQwEviSjUXA1gF8WHv/zha3JiC4w==","sha1":"deff72c5897c46748b89749362d135fde1f945c1"},"filename":"cardano-addresses-docs-1.0.1.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}